Trojan Turns Smash & Grab Into Grab & Smash

Imagine being in charge of your organization's finances, and learning from your bank one morning that thieves had stolen tens of thousands of dollars from company coffers overnight using your online banking credentials. Now imagine your frustration when you go to log in to your PC to assess the damage, only to find that the computer you typically use to access the account has been kneecapped by the bad guys.

This is precisely what happened to Kathy Dake, office manager for St. Isidore Catholic Church in Danville, Calif. Dake had infected her PC with the Zeus Trojan after opening a malicious e-mail disguised as a notice from the IRS about "unreported income" (see New IRS Scam Could Be Costly).

The thieves used Zeus to steal the credentials Dake uses to administer the church's bank account, and a week ago Friday she came in to work to find her computer would not boot up; Windows complained that key files had been corrupted. That same day, she also found out from her bank that in the wee hours of the morning someone had tried to transfer $87,000 out of St. Isidore's account. The attackers had instructed the bank to send the funds to more than a half dozen money mules, willing or unwitting accomplices across the country hired through work-at-home job scams.

"I came in that morning and didn't have a computer; the virus had corrupted everything," Dake said, noting that her computer was fine the day before -- when she first opened the e-mail -- and that none of her co-workers experienced similar problems. "Everyone else in the office got the same e-mail, but I'm the only one who opened it."

Dake and the church may never know for sure, but in all likelihood her computer was corrupted on purpose by the attackers, in a bid to buy them time, said Ben Greenbaum, senior research manager with Symantec Security Response.

Among the Zeus Trojan's many diabolical features is a command called "KOS," which stands for "kill operating system." According to the help file distributed with Zeus (the malware is sold as a kit on criminal online forums), the KOS command can crash the infected system as soon as it's issued, resulting in the dreaded "blue screen of death." Alternatively, the KOS command can be used to trash the Windows registry, usually allowing the system to function properly until it is rebooted, at which point it will simply fail to start up.

Greenbaum said some security researchers have speculated about the true purpose of this feature in Zeus. Indeed, earlier this summer, Security Fix wrote about a researcher who witnessed the implosion of a botnet of some 100,000 Zeus-infected computers, after the person(s) in control of that botnet issued the KOS command to all infected systems simultaneously (see Zeustracker and the Nuclear Option).

Greenbaum said he wasn't familiar with particulars of the St. Isidore incident, but he doubts that the bootup problems on Dake's computer were merely a coincidence.

"There have been some theories that some [Zeus] botnet masters are issuing this command after significant fraudulent transactions simply to complicate the process on the part of the victim of being able to find out what happened and perhaps take steps to retrieve their funds," Greenbaum said. "In stealing smaller amounts, a botnet master might not bother [issuing the KOS command], but if they were able to get $80,000 in one fell swoop, issuing that command would probably buy them more time to get away with the loot."

Fortunately for St. Isidore's, the bank blocked the transfers before they could be sent through.

But Irving Canner wasn't so lucky. Canner, the director of finance for The Pease Development Authority, the New Hampshire state agency that manages ports in the Portsmouth area, learned early this month that his computer had been hacked and used to initiate roughly $100,000 worth of bogus transfers to a number of money mules. When he went to log in to his employer's account at TD Bank North, he found the bank's site was unavailable.

For two days straight.

As it happens, Canner was unable to access his account online not because the hackers had trashed his machine, but because of a glitch in TD Bank's systems that blocked customers up and down the East Coast from being able to log in to the bank's site.

TD Bank ran full page ads in The Washington Post and other major newspapers apologizing for the outage, which it said stemmed from planned upgrades that encountered some unexpected "issues" that led to delays in updating account balances. "Online banking was temporarily unavailable for short periods of time," the company acknowledged.

Canner said he has been working with bank officials via the phone to get the unauthorized charges reversed. So far, the bank is still trying to retrieve about $30,000 worth of bogus transfers.

What's happening with Zeus is horrible. But what's being overlooked is the poor accounting practices that are allowing it to happen. As a best practice, at a minimum, 2 people should be required to move money out of an account. In almost all of the cases reported to date, had this simple accounting measure been in place, the attempts to transfer money out of the victims' accounts would have failed.

What there needs to be is cooperation between the banks and the businesses. Can't the banks set up a white list of accounts that a business normally does business with, along with account numbers, and authorize payments to those accounts, using the two-person authentication method? When the bank gets a request to transfer money exceeding a certain amount (to be determined by the bank and the customer), and when the number of those transfer requests in a day exceeds a set limit, it should hold those transfers for written approval by an officer of the business.

The banks need to be held somewhat responsible for some of this problem. The business banking rules need to be changed to allow a business to reconcile their account. The Pease Development Authority was hit for $100k and as luck would have it, the bank on-line systems were down for several days. How is a business supposed to handle that situation?

Even in a consumer account, they will authorize/transfer any amount up to the account balance without any input from the customer. The only thing is that a customer has some time to dispute a fraudulent transfer.
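The controls the commenter above proposes (a payee whitelist, an amount threshold, a daily count threshold, and two-person authorization) can be expressed as a single transfer-release policy. The following is an added example, not code from the article, the bank, or the commenter; all account numbers, user ids and limits are constructed, and the batch of seven mule transfers is modelled on the St. Isidore incident, where a single stolen credential was used.

```python
from dataclasses import dataclass

# Added example, not code from the article or the commenter: a transfer-release
# policy combining the commenter's controls (payee whitelist, amount threshold,
# daily count threshold, dual control). All names and limits are constructed.

@dataclass(frozen=True)
class Policy:
    whitelist: frozenset        # payee accounts the business pre-registered
    amount_limit: float         # single transfers above this are held
    daily_count_limit: int      # transfers per day beyond this are held
    approvers_required: int = 2 # distinct people who must authorize a transfer

@dataclass(frozen=True)
class Transfer:
    payee: str
    amount: float
    approvers: frozenset        # distinct user ids that authorized it

def decide(t: Transfer, policy: Policy, released_today: int) -> str:
    """Return 'RELEASE' or the reason the transfer is held for written approval."""
    # Dual control: one stolen credential can only ever supply one approver.
    if len(t.approvers) < policy.approvers_required:
        return "HOLD: dual control not satisfied"
    if t.payee not in policy.whitelist:
        return "HOLD: payee not on whitelist"
    if t.amount > policy.amount_limit:
        return "HOLD: amount exceeds limit"
    if released_today >= policy.daily_count_limit:
        return "HOLD: daily transfer count exceeded"
    return "RELEASE"

def process_batch(batch, policy):
    """Run one day's requests through the policy in order, counting releases."""
    released, decisions = 0, []
    for t in batch:
        d = decide(t, policy, released)
        released += int(d == "RELEASE")
        decisions.append(d)
    return decisions

POLICY = Policy(whitelist=frozenset({"PAYROLL-001", "UTILITY-002"}),
                amount_limit=10_000.0, daily_count_limit=5)

# Constructed batch modelled on the article: one compromised login pushing
# a large sum out to seven mule accounts overnight, with no second approver.
MULE_BATCH = [Transfer(f"MULE-{i:03d}", 87_000 / 7, frozenset({"finance_user"}))
              for i in range(7)]
# Constructed legitimate run: two officers approve a whitelisted payroll payment.
LEGIT_BATCH = [Transfer("PAYROLL-001", 8_500.0, frozenset({"finance_user", "officer2"}))]
```

Every mule transfer is held on the first check alone, because one captured credential cannot satisfy dual control; the whitelist and thresholds would still catch the batch even if a second credential had been stolen, which is the point the commenter below makes about properly implemented dual controls.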

@BTKrebs True enough, though I think an auditor (which I am not) would point out that if the KY Treasurer had the ability to change the judge's password and then access his credentials to wire money, then dual controls were not properly implemented. And it bit them on the keister.

Sadly, I fear that this is going to get a lot worse before it gets better.